The "Antivirus Is Dead" Myth
Security vendors have been declaring traditional antivirus dead for a decade. Their argument is that EDR (endpoint detection and response), behavioural analysis, and AI-based threat intelligence are all superior to simple signature-based scanning, and they are right. But that does not mean regular file scanning has no value.
What Traditional Scanning Still Catches
1. Known Malware in File Transfers
When you receive a file from someone else — a colleague, a vendor, a contractor — it may not come through your email gateway or corporate endpoint protection. It might arrive via USB, file sharing, a personal device, or a cloud storage link. A quick scan before opening is a fast, reliable safety check.
2. Dormant Threats
Not all malware executes immediately. Files can sit on a system for weeks before being triggered. Behavioural detection only fires when the malware runs. A proactive scan can find known-bad files before execution.
3. Offline and Air-Gapped Environments
EDR and AI-based tools typically require cloud connectivity to function. In an air-gapped environment — a factory floor, a classified network, a legacy industrial control system — traditional signature-based scanning is often the only option.
4. Verification by a Second Engine
No single antivirus engine catches 100% of threats. Scanning a file through a different engine than the one on your endpoint is a legitimate defence-in-depth strategy. This is why services like VirusTotal run a file through dozens of engines simultaneously.
What Has Changed?
The difference in 2026 is about layering, not replacement:
| Layer | What It Catches |
|---|---|
| Email gateway | Phishing, malicious attachments in email |
| Endpoint protection (EDR) | Runtime threats, behavioural anomalies |
| File scanner | Known malware signatures, in received files before they are opened |
| Network monitoring | Lateral movement, C2 communication |
File scanning is one layer in a stack, not the whole defence.
Best Practices for File Scanning
- Scan before opening any file received through a channel outside your standard email/endpoint tools.
- Scan after downloading from the internet, regardless of the site's reputation.
- Scan the contents of compressed archives (.zip, .rar, .7z), not just the outer file.
- Keep signatures updated — a scanner with 6-month-old signatures provides limited protection.
- Get a second opinion: use an online scanner as a complement to your local AV.
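
The archive practice above, combined with the proactive sweep for dormant files, as an added example that is not part of the original article: it matches SHA-256 hashes (the simplest form of signature) against every file inside nested zip archives and reports anything it could not inspect instead of treating it as clean. The hash list, file names and sample archive are constructed for illustration, and only .zip is handled because Python's standard library has no .rar or .7z reader.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                  # nested-archive levels to open before giving up
MAX_MEMBER_BYTES = 50 * 2**20  # declared uncompressed size limit (decompression bombs)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def scan_bytes(name, data, known_bad, depth=0):
    """Return (path, reason) findings for one file and everything nested inside it."""
    findings = [(name, "known-bad hash")] if sha256(data) in known_bad else []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:  # unscanned content is reported, never assumed clean
        return findings + [(name, "nesting too deep, not scanned")]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # bit 0 of the flags marks an encrypted member
                    findings.append((path, "encrypted, not scanned"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "too large, not scanned"))
                else:  # hash the member, and recurse if it is itself a zip
                    findings += scan_bytes(path, zf.read(info), known_bad, depth + 1)
    except zipfile.BadZipFile:
        findings.append((name, "corrupt archive, not fully scanned"))
    return findings

def make_zip(members):
    """Build an in-memory zip from {filename: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()

# Constructed sample: harmless bytes stand in for a known-bad file, two zips deep.
SAMPLE_BAD = b"constructed sample payload, not malware"
KNOWN_BAD = {sha256(SAMPLE_BAD)}
INNER = make_zip({"invoice.exe": SAMPLE_BAD})
OUTER = make_zip({"readme.txt": b"hello", "docs/inner.zip": INNER})

if __name__ == "__main__":
    for path, reason in scan_bytes("delivery.zip", OUTER, KNOWN_BAD):
        print(f"{path}: {reason}")
```

Neither the outer archive's hash nor the inner archive's hash is on the known-bad list, so a scan that stops at the outer file reports nothing; the match only appears once the members are unpacked.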
Conclusion
Regular virus scanning is not a substitute for modern endpoint security. It is a complement to it — fast, simple, and effective for the specific use case of checking files received from outside your standard security perimeter. In 2026, that use case is more common than ever.